[watevrCTF 2019]Crypto over the intrawebs Z3求解方程式

最新推荐文章于 2024-08-26 16:39:00 发布

Paintrain

最新推荐文章于 2024-08-26 16:39:00 发布

阅读量259

点赞数

分类专栏：密码文章标签：密码学 python

本文链接：https://blog.csdn.net/m0_62506844/article/details/125577217

版权

密码专栏收录该内容

51 篇文章 4 订阅

订阅专栏

import socket, select, signal, string
import sys, os, time, random
import threading

HOST = '198.51.100.0'
PORT = 1337
USERNAME = "Houdini"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((socket.gethostname(), PORT))
key = int(s.recv(1240).decode("utf-8").split(" ")[1])

def encrypt(plaintext):
	global USERNAME
	global key
	plaintext = USERNAME + ": " + plaintext
	out = [random.randint(0, 9999), random.randint(0, 999)]
	for i in range(len(plaintext)):
		out.append((out[i+1] + ((out[i] * ord(plaintext[i])) ^ (key+out[i+1]))) ^ (key*out[i]))

import socket, select, signal, string
import sys, os, time, random
import threading

HOST = '198.51.100.1'
PORT = 1337
USERNAME = "nnewram"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((socket.gethostname(), PORT))
key = int(s.recv(1240).decode("utf-8").split(" ")[1])

def encrypt(plaintext):
	global USERNAME
	global key
	plaintext = USERNAME + ": " + plaintext
	out = [random.randint(0, 9999), random.randint(0, 999)]
	for i in range(len(plaintext)):
		out.append((out[i

import socket, threading
import sys, os
import random, signal

PORT = 1337
KEY = random.randint(0, 100000000000000000000000)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((socket.gethostname(), PORT))
s.listen(5)
client_list = []

def relay_message(message, sender):
	global client_list
	for client in client_list:
		if client != sender:
			try:
				client[0].send(message)
			except:
				client[0].close()
				client_list.remove(client)

def client_reciever(socket):
	print(socket)
	while True:
		message = socket[0].recv(500000)
		if not message:
			break
		print("Message from: " + socket[1][0] + "\nContent: " + message.decode("utf-8"))
		relay_message(message, socket)

def main():
	while True:
		client, address = s.accept() # accept all incomming clients
		client_list.append((client, address))
		print("Incomming user: " + address[0])
		client.send(bytes("KEY: " + str(KEY), "utf-8"))
		client_thread = threading.Thread(target=client_reciever, args=((client, address), ))
		client_thread.start()

#this is only for closing the sockets after sigsegv
def handler_signals(signum, frame):
	global run
	global s
	s.close()
	print("----Closed Server----")
	sys.exit()
signal.signal(signal.SIGINT, handler_signals)
signal.signal(signal.SIGTERM, handler_signals)
#this is only for closing the sockets after sigsegv

main()

通过代码审计找到加密函数：

out.append((out[i+1] + ((out[i] * ord(plaintext[i])) ^ (key+out[i+1]))) ^ (key*out[i]))

可知，只要知道out和key就能求解出明文

out就是 conversation 加密对话内容

所以解题的关键是求解key

由 KEY = random.randint(0, 100000000000000000000000) 得k的位数是76位

其次，我们其实是知道一部分明文的，因为

plaintext = USERNAME + ": " + plaintext

而USERNAME是知道的，就拿 USERNAME = "Houdini:" 举例，包括冒号共知道10个字符，

且知道加密代码：

((out[i + 1] + ((out[i] * ord(plain[i])) ^ (key + out[i + 1]))) ^ (key * out[i]))==out[i+2]

就可以得到10个方程，用z3去求解

不同的位数都可能求出key值，大概由七十六七个，爆破这些key来找到可用于解密的key

from z3 import *
from tqdm import tqdm
#print(len(bin(100000000000000000000000)[2:]))'
def decrypt():
    out=[8886, 42, 212351850074573251730471044, 424970871445403036476084342 ,5074088654060645719700112791577634658478525829848, 17980375751459479892183878405763572663247662296, 121243943296116422476619559571200060016769222670118557978266602062366168 ,242789433733772377162253757058605232140494788666115363337105327522154016 ,2897090450760618154631253497246288923325478215090551806927512438699802516318766105962219562904, 7372806106688864629183362019405317958359908549913588813279832042020854419620109770781392560]
    plain='Houdini:'
    keys=[]
    for k in tqdm(range(1,78)):
        key=BitVec('key',k)
        s=Solver()
        for i in range(8):
            s.add(((out[i + 1] + ((out[i] * ord(plain[i])) ^ (key + out[i + 1]))) ^ (key * out[i]))==out[i+2])
        
        s.check()
        res=s.model()
        res = res[key].as_long()
        #print(res)
        flag=''
        cs=open("conversation").readlines()
        for i in range(1,len(cs),2):
            ct=cs[i].split(" ")
            for i in range(1,len(ct)):
                ct[i]=int(ct[i])
            for j in range(1,len(ct)-2):
                try:#out[i+2]=(out[i+1] + ((out[i] * ord(plaintext[i])) ^ (key+out[i+1]))) ^ (key*out[i])
                    pt=((((res*ct[j])^ct[j+2])-ct[j+1])^(res+ct[j+1]))//ct[j]
                    flag+=chr(pt)
                except:
                    continue
        if "watevr{" in flag:
            print(flag)
            break

decrypt()